
Password generation classes

From: Jonathan Kingston <jonathan@jooped.com>
Date: Wed, 30 Sep 2015 00:07:14 +0000
Message-ID: <CAKrjaaWpj+koHNX0JoegJbv2ADMa=7_-iT1C68+FrmJ0tGQGEA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
So as to create somewhat of a new topic diversion on this group I wanted to
table the discussion of password creation.

The Credential management API at some point will need to allow users to
create passwords somehow.

The core issues as I see them are:
- Sites create schemes that users can't understand
- Sites are under the illusion that limiting down the character set to
include x upper, x digits, and x special chars makes passwords much stronger
- Sites have a finite storage limitation
- Sites have a processing limitation
- Users are likely to pick bad passwords so some of these rules, limits and
design choices have happened because of that

As I am purely talking about auto generation of passwords, I think:
- The user is no longer an issue
- Characters may be a design limitation to what a site can store, however
in implementing the Credential Management API we should assume validation
should change
- base64 compatible encoding is ideal for storage
- The closest to random passwords is a design goal
  - Computational power of the user agent and algorithm complexity becomes
an issue instead
- Storage and processing are still issues

I started the discussion here of using credential classes that cover
specific use cases whilst also stopping the website from making poor choices:
https://github.com/w3c/webappsec/issues/250#issuecomment-136005063

Kind regards
Jonathan
Received on Wednesday, 30 September 2015 00:07:53 UTC
